August 02, 2002

There's been a nasty OpenSSH hack

There's been a nasty OpenSSH hack. I got this from CERT in my mailbox this morning:

Overview

The CERT/CC has received confirmation that some copies of the source
code for the OpenSSH package were modified by an intruder and contain
a Trojan horse.

We strongly encourage sites which employ, redistribute, or mirror the
OpenSSH package to immediately verify the integrity of their
distribution.

I. Description

The CERT/CC has received confirmation that some copies of the source
code for the OpenSSH package have been modified by an intruder and
contain a Trojan horse. The following advisory has been released by
the OpenSSH development team:

http://www.openssh.com/txt/trojan.adv

The following files were modified to include the malicious code:

openssh-3.4p1.tar.gz
openssh-3.4.tgz
openssh-3.2.2p1.tar.gz

These files appear to have been placed on the FTP server which hosts
ftp.openssh.com and ftp.openbsd.org on the 30th or 31st of July, 2002.
The OpenSSH development team replaced the Trojan horse copies with the
original, uncompromised versions at 13:00 UTC, August 1st, 2002. The
Trojan horse copy of the source code was available long enough for
copies to propagate to sites that mirror the OpenSSH site.

The Trojan horse versions of OpenSSH contain malicious code that is
run when the software is compiled. This code connects to a fixed
remote server on 6667/tcp. It can then open a shell running as the
user who compiled OpenSSH.

II. Impact

An intruder operating from (or able to impersonate) the remote address
specified in the malicious code can gain unauthorized remote access to
any host which compiled a version of OpenSSH from this Trojan horse
version of the source code. The level of access would be that of the
user who compiled the source code.
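The advisory asks every site that mirrors or redistributes OpenSSH to verify the integrity of its copies. The script below is an added example, not part of the CERT advisory or the OpenSSH project, showing how to check a mirror's tarballs against a BSD-style "SHA256 (file) = digest" list. The tarball contents and the manifest are constructed stand-ins for the real files; in practice the checksum list must come from a channel independent of the mirror being checked, since an intruder who can replace tarballs on a server can replace a checksum file hosted beside them.

```python
import hashlib
import hmac
import re

# Constructed stand-ins for the upstream tarballs (not the real file contents).
UPSTREAM = {
    "openssh-3.4p1.tar.gz": b"upstream openssh-3.4p1 source\n",
    "openssh-3.4.tgz": b"upstream openssh-3.4 source\n",
    "openssh-3.2.2p1.tar.gz": b"upstream openssh-3.2.2p1 source\n",
}
# Constructed mirror: one intact copy, one modified copy, and one file absent.
MIRROR = {
    "openssh-3.4p1.tar.gz": b"upstream openssh-3.4p1 source\n",
    "openssh-3.4.tgz": b"upstream openssh-3.4 source\n" + b"# extra bytes\n",
}

MANIFEST_LINE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-f]{64})$")

def make_manifest(files):
    """Render a BSD-style checksum list as an upstream would publish it."""
    return "".join(
        f"SHA256 ({name}) = {hashlib.sha256(data).hexdigest()}\n"
        for name, data in files.items()
    )

def parse_manifest(text):
    """Map file name -> expected digest; lines that do not match the format are skipped."""
    expected = {}
    for line in text.splitlines():
        m = MANIFEST_LINE.match(line.strip())
        if m:
            expected[m["name"]] = m["digest"]
    return expected

def verify_mirror(mirror, manifest_text):
    """Return name -> 'ok' | 'mismatch' | 'missing' for every listed file,
    plus 'unlisted' for mirror files the manifest does not cover."""
    expected = parse_manifest(manifest_text)
    report = {}
    for name, digest in expected.items():
        data = mirror.get(name)
        if data is None:
            report[name] = "missing"
        else:
            actual = hashlib.sha256(data).hexdigest()
            report[name] = "ok" if hmac.compare_digest(actual, digest) else "mismatch"
    for name in mirror:
        if name not in expected:
            report[name] = "unlisted"
    return report

if __name__ == "__main__":
    manifest = make_manifest(UPSTREAM)  # stands in for the list fetched out of band
    for name, status in sorted(verify_mirror(MIRROR, manifest).items()):
        print(f"{status:9s} {name}")
```

Any file reported as "mismatch" should be treated as suspect and re-fetched from the origin rather than served on, and anything already built from it reviewed as the advisory's Impact section describes.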

